An introduction to GDPR

The information in this article is for general guidance only. The application and impact of GDPR can vary widely on a case-by-case basis. As such, this document is NOT a substitute for consulting with professional legal advisers.

The General Data Protection Regulation (GDPR) was adopted in April 2016 and became enforceable on May 25th 2018.

This regulation is designed to give EU citizens better control over their personal data. It requires any company which stores and uses the personal data of EU citizens to take steps to protect that data and, for example, to make it available for the user to download.

Personal data is any information relating to a person who can be identified directly or indirectly, such as “(...) a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Furthermore, personal data may only be collected if a user consents to it. A consent is “a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Consents must consist of clear, concise and granular positive opt-ins such as:

  • Consent to receive newsletters
  • Consent to using previous purchases to show personalized suggestions
  • Etc.

In other words: the user must be informed about precisely which data you want to use, why you are collecting it, and what you want to use it for, and must actively elect to give consent to that activity. A consent cannot be collected using e.g. pre-ticked boxes or other methods of default consent.

Again, don’t take our word for it: please consult a legal professional.

To be GDPR compliant, you typically need to handle four tasks:

  • Create concise and granular opt-ins
  • Collect consents based on the opt-ins
  • Check for consents before performing an activity that requires one, such as sending emails
  • Make user data available for download in the frontend

In Dynamicweb:

Bear in mind that you don’t have to use these tools to be GDPR compliant. Consents collected via other sources (e.g. phone calls) can simply be stored in a set of custom fields. The Data Processing app is simply a convenient tool for storing consents which are obtained using our system.

If you store email consents in custom fields, you will have to uncheck these custom fields when a user unsubscribes. This can be done via the settings of the Dynamicweb users recipient provider.